A hacker has leaked 40 million Wishbone user records that contain a treasure trove of information that could be used to perform phishing campaigns, account takeovers, and credential stuffing attacks.
BleepingComputer has been able to independently confirm that the data is legitimate as it contains user records for people we know have used the app and who have confirmed the accuracy of the data.
Wishbone database leaked on hacker forums
Wishbone is a popular app for iOS and Android that allows users to create comparisons between two images that people can then vote on.
For weeks, BleepingComputer has been aware of a data breach broker selling an alleged database containing 40 million user records for the Wishbone app through private deals.
According to cyber intelligence firm Cyble, who shared this information with BleepingComputer, the database was circulating privately since March.
Yesterday, a different data breach seller publicly advertised the sale of the Wishbone database on a popular hacker forum where they were selling it for $8,000.
This seller told BleepingComputer in previous conversations that he collects, trades, and buys databases from data breaches and then sells them to others.
We were also told that this database was dumped at the end of January 2020.
Today, another data breach seller and competitor known as Shiny Hunters, decided to leak the entire database for free on the same hacker forum.
Shiny Hunters have been responsible for the sale of numerous data breaches, including one for Microsoft's private GitHub repository. Since then, some of these have been confirmed as data breaches by the affected companies.
We can expect to see tensions escalate between the two threat actors as both brokers are known to sell legitimate data.
This could lead to other private databases being leaked for free as each tries to spoil the other's sales.
What's in the database
Samples of the Wishbone database have been shared with BleepingComputer that unfortunately contains a great deal of data that can be useful to threat actors.
This exposed data includes usernames, email addresses, hashed MD5 passwords, mobile numbers, Facebook and Twitter access tokens, gender, date of birth, MD5, profile images, and much more.
A full list of the exposed information can be seen in the leaked table structure below:
uid,username,email,name,mobile_number,country_code,fbid,access_token,auth_token,ip,create_time,twitter_id,twitter_access_token,twitter_access_secret,gender,date_of_birth,password,image,follower_count,device_token,android_device_token,is_admin,timezone,displaying_post_date,is_device_active,shared_for_date,show_second_session_date,apple_idfa,google_advertiser_id,stickers_left,deleted_at,updated_at
BleepingComputer has contacted Wishbone with a sample of the data but has not received a response.
Unfortunately, this is typical for companies that we contact to notify of alleged data breaches.
What should Wishbone users do now?
As some of the exposed data in this database file has been confirmed as accurate, it does appear to be a legitimate breach.
Due to this, out of an abundance of caution, I would suggest that all Wishbone users immediately change their passwords on the app.
If they have logged in via Facebook or Twitter, it is also suggested that you disconnect these apps from your Facebook account and Twitter accounts until it is confirmed if the data breach is real.
Finally, if you use your Wishbone password at other sites, you should change it there.
To check if your information was exposed in this database, you can check using Cyble's AmIBreached data breach lookup service.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now